Re: [Sidrops] I-D Action: draft-ietf-sidrops-6486bis-06.txt

Ben Maddison <benm@workonline.africa> Thu, 30 September 2021 17:13 UTC

Date: Thu, 30 Sep 2021 19:13:02 +0200
From: Ben Maddison <benm@workonline.africa>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: Tim Bruijnzeels <tim@nlnetlabs.nl>, SIDR Operations WG <sidrops@ietf.org>
Message-ID: <20210930171302.m7b5utqceotecooc@benm-laptop>
References: <162730591845.29690.12178353991713962835@ietfa.amsl.com> <2457bdd2-de07-241f-b8e4-87206dabcf16@verizon.net> <28F0ACCE-4D0C-4D80-B4C5-4E8B9D05760F@nlnetlabs.nl> <51acd845-d937-34a1-359b-7379b45e3fe3@verizon.net> <49e73d37-6d26-7715-da60-c2411020d595@verizon.net>
In-Reply-To: <49e73d37-6d26-7715-da60-c2411020d595@verizon.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/1oW2KpIp7kZFfaIjUZPzGDF9ulQ>

Hi Steve, Russ, all,

On 09/26, Stephen Kent wrote:
> 
> Tim,
> 
> I'll wait to see what other WG members suggest before making this change,
> but I do not see a problem with replacing the current test with your
> proposed revision.
> 
I think that Tim's suggestion is a good one.
We should err on the side of being explicit about this sort of thing.

Additionally, some minor nits/suggestions/questions:

section 2.
    current:
        all published signed objects that are verifiable using EE
        certificates [RFC6487] issued by this CA.
    suggested:
        all published signed objects that are verifiable using EE
        certificates [RFC6487] issued by this CA, other than the
        manifest itself.

section 4.2.1 - manifestNumber:
    Should the document describe what should be done if the
    manifestNumber reaches 2^20, or was it judged that this is large
    enough that it will never happen?

    In the latter case, we should mandate that the value be incremented
    *by 1* to avoid the possibility that an implementation increments in
    large enough steps to hit the maximum eventually.

section 4.2.1 - nextUpdate:
    current:
        If the authority alters any of the items that it has published
        in the repository publication point, then the authority MUST
        issue a new manifest before the nextUpdate time.

    I read the above as saying that the manifest must be re-issued
    before the nextUpdate time only if the repository contents have changed.

    Unless I am missing something very obvious, the CA must re-issue the
    manifest before that time, regardless of whether anything has
    changed?

    suggested:
        If the authority alters any of the items that it has published
        in the repository publication point, then the authority MUST
        issue a new manifest.
        In any event, the authority MUST issue a new manifest
        (possibly containing an unchanged fileList) before the
        nextUpdate time.

section 7:
    "... a CRL issued by the CA [RFC6481],corresponding to the scope ..."
                                          ^
                            missing space |

appendix A:
    The ASN.1 module should define an instance of the CONTENT-TYPE
    class:

    ```
    IMPORTS
      CONTENT-TYPE FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
          pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } ;

    ct-rpkiManifest CONTENT-TYPE ::=
        { TYPE Manifest IDENTIFIED BY id-ct-rpkiManifest }
    ```

Please let me know if anything requires elaboration.

Cheers,

Ben
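An added example, not code from the draft or from anyone in this thread: a small CA-side model of the three issuance rules discussed in the message above (the manifest's own file is left out of the fileList, a new manifest is issued when the published set changes or the nextUpdate time is near, and manifestNumber increases by exactly 1 and is refused rather than wrapped at 2^20). Function names, the `lead` safety margin and the sample repository contents are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256

# Bound questioned in the message above; the draft is silent on what happens
# when the counter gets here, so this issuer refuses rather than wrapping.
MAX_MANIFEST_NUMBER = 2 ** 20


@dataclass
class Manifest:
    number: int
    this_update: datetime
    next_update: datetime
    file_list: dict  # filename -> SHA-256 hex digest of the published object


def build_file_list(repo: dict, manifest_name: str) -> dict:
    """Hash every published object except the manifest itself."""
    return {name: sha256(data).hexdigest()
            for name, data in sorted(repo.items()) if name != manifest_name}


def needs_reissue(prev: Manifest, repo: dict, manifest_name: str,
                  now: datetime, lead: timedelta) -> bool:
    """Reissue if the published set changed, or nextUpdate is within 'lead'."""
    if build_file_list(repo, manifest_name) != prev.file_list:
        return True
    return now + lead >= prev.next_update


def issue(prev: Manifest, repo: dict, manifest_name: str,
          now: datetime, validity: timedelta) -> Manifest:
    """Successor manifest: number increments by exactly 1, never wraps."""
    if prev.number + 1 >= MAX_MANIFEST_NUMBER:
        raise ValueError("manifestNumber would reach its maximum; unspecified")
    return Manifest(prev.number + 1, now, now + validity,
                    build_file_list(repo, manifest_name))


# Constructed sample publication point (placeholder bytes, not real objects).
MFT = "ca.mft"
REPO = {"ca.crl": b"crl-bytes", "as65536.roa": b"roa-bytes", MFT: b"mft-bytes"}
T0 = datetime(2021, 9, 30, 17, 13, tzinfo=timezone.utc)
PREV = Manifest(5, T0, T0 + timedelta(days=1), build_file_list(REPO, MFT))
```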